Web Firms Have Sorry Record on Public's Privacy

Internet businesses love nothing more than self-regulation. They just want to be left alone, free from government meddling, to serve their shareholders and the public interest by building the new economy. But no issue demonstrates their hypocrisy better than how they handle the issue of privacy.
Consider that of 29,000 Web sites surveyed recently, fewer than 23% posted a privacy policy of any kind--and only a fraction of those policies offer meaningful protections for users. That's according to a survey to be released soon to the public on http://www.privacyratings.com, a site operated by San Diego-based start-up Enonymous.com. The company makes an "e-wallet" product that allows Web shoppers to make purchases without revealing their personal information.

Meanwhile, other surveys show that Web users are growing apoplectic over the sale or disclosure of their personal data to merchants and Web marketers who deluge them with junk e-mail. Millions of potential online shoppers have avoided e-commerce because of fear that vendors will abuse their trust, according to Forrester Research in Cambridge, Mass.

Such attitudes can hardly be surprising, given that egregious violations of online privacy have become commonplace.
For example, RealNetworks, a leading Web multimedia company, last year was found to have been tracking the listening habits of users of its Web audio players.
Last month the Federal Trade Commission opened an inquiry into Amazon.com's Alexa Internet division. Alexa, a tool that works with Web browsers, provides detailed information on a Web site's popularity and offers reviews of the site's services and links to related sites. The investigation concerns how Alexa may be surreptitiously collecting user Web-surfing data and passing it along to Amazon, among others.

Yet don't expect the abuses to stop. The ratings offered by Enonymous.com suggest that even sites with privacy policies offer scant protection. Their ratings award zero to four stars based on how much protection a Web site promises. The results:
* Some 77.3% of all sites surveyed earned zero stars and offer no privacy policies.
* 7.7% got one star, meaning that users have no privacy rights. The site may contact you, and your identifiable personal information can be shared or sold to others without your permission.
* 8.8% were two-star sites, signifying that the site may contact you without permission but will share your data only with your explicit permission.
* 2.7% earned three stars, denoting that the site will not contact you or share your personal data without your explicit permission.
* Only 3.5% earned four stars, meaning they will not contact you without explicit permission and will not share your data under any circumstances.
The record is a little better at the Web's 200 busiest sites--which presumably have the greatest stake in being sensitive to users' concerns: 22.5% of them earned three or four stars, though 62% received zero or one star. Among the Web's biggest sites, only America Online earned four stars; Yahoo, EBay and MSN all got one.
It turns out your privacy is even more jeopardized on Web sites run by nonprofit groups (those with .org at the end of their Web addresses) and educational sites (those ending in .edu). Fully 85.6% of nonprofit groups and 96.8% of educational sites offer no policy on personal privacy. Government sites (.gov) did better, with 69.3% offering policies and 36% earning four stars.
The larger lesson of the Privacy-ratings.com survey may be that "most privacy polices are worse than useless--privacy disclaimers putting people on notice that their privacy is being taken away," said Jason Catlett, founder and president of Junkbusters, a Green Brook, N.J., privacy consulting group.
"The fact that a car manufacturer discloses that their brakes fail most of the time doesn't make it OK," he added.

Moreover, the criteria used by Privacyratings.com leave out factors seen as crucial by privacy advocates such as the nonprofit Washington-based Electronic Privacy Information Center. The group suggests allowing users to view and correct any personal data collected about them, and to limit profile-based advertising--that is, ads that target consumers based on each individual's Web-surfing habits.

Then there is the question of whether sites follow their stated policies.
"Think about the effective redress you have under current law" if a policy is violated, Catlett said. "Are you going to sue the company for breach of contract if you get 'spammed' by them, or if they sell your name? How are you even going to find out?"
How many more episodes like those involving RealNetworks and Amazon must we endure before the industry owns up to the fact that its commercial interests are antithetical to preserving Web users' privacy?

Software that protects all e-mail and Web surfing from prying eyes can help, but it is still too costly or complex for many users. The best hope for regaining some control over our personal information depends on tough regulations by the federal government.